
(All the correct modules are compiled into the kernel.) Some of those lines may be wrapped over, so forget them.

Now as far as I can work out, this should masq my connections alright. I'm sticking OpenBSD on another computer in the next couple of days and would like to use ports to install a few things over my network. Will this script do masq alright for me?

Re:Will masq work?

As far as I can see, the script should work fine. If you want to do full connection tracking you should replace your default accept-all OUTPUT and FORWARD rule with a stateful rule using -m state --state NEW, to match your ESTABLISHED and RELATED input rulesets. One thing though, the script does not masq (meaning NAT) your connection. It does firewall your LAN though.

Re:Will masq work?

To NAT your connection you need to add this line to your script.

Code:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

I would make it one of the top most rules.

Also, if you don't plan on NATting this box, you will need to modify your FORWARD ruleset. Right now it's allowing all outgoing packets from eth0 to ppp0, but it is not allowing any traffic back into the LAN (established, related). If you do NAT this connection, I don't think you will need to worry about forwarding from ppp0 to eth0 (WAN to LAN), since LAN-bound packets will be destined for ppp0.

Now, as far as I can work out, NAT should work, right? Well, for some reason it's not. Might it be that I haven't set up my clients properly?

[edit] Running traceroute tells me that the packets from my client are delivered to my gateway. So my theory is that either the packets are not being allowed back in, or they are not being sent by the gateway.

Re:Will masq work?

I now believe that my script is stopping the packets before they even get out onto the net. I've tried pinging IP addresses, but kppp tells me that no bytes went out as I was trying to ping the IP address. (The IP was Google, so I should have been getting a response.)

Re:Will masq work?

So the last script works, right? If so, I would imagine that the problem was corrected by the NEW state in your forward ruleset. The other scripts did not allow for packets other than established and related to pass from one interface to the next. Since no NEW packets could be forwarded through your box, no connections could be established to begin with. Remember, packets with a new state are the first part of the TCP/IP three-way handshake.

Whenever I debug firewalls I log everything to the console and create different log prefixes for different rulesets so I can see at what point things are failing.

One question though. When you flush the default policy at the beginning of your script, you still have

Code:

iptables -P FORWARD DROP
iptables -F FORWARD

Did you want this to be accept?

Another good thing to do is have a friend nmap your external interface, in addition to trying to connect to internal servers or scan beyond your firewall, just to make sure for a fact your firewall is working.

I once built a firewall, but screwed up my forwarding ruleset. Since my input ruleset was working correctly, nmapping the external interface showed that packets were being rejected. At this point I said "ok, everything works fine." However, a week later, I was able to hit internal web servers from the extranet, and only then did it dawn on me that I had misconfigured my forward ruleset and that my firewall was essentially a POS.